Skip to content

Commit 77d748a

Browse files
committed
JS: "return" flow through callbacks
1 parent 821a7bf commit 77d748a

File tree

4 files changed

+112
-8
lines changed

4 files changed

+112
-8
lines changed

javascript/ql/src/semmle/javascript/dataflow/Configuration.qll

Lines changed: 44 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -660,7 +660,7 @@ private predicate flowThroughProperty(
660660
* All of this is done under configuration `cfg`, and `arg` flows along a path
661661
* summarized by `summary`, while `cb` is only tracked locally.
662662
*/
663-
private predicate higherOrderCall(
663+
private predicate summarizedHigherOrderCall(
664664
DataFlow::Node arg, DataFlow::Node cb, int i, DataFlow::Configuration cfg, PathSummary summary
665665
) {
666666
exists (Function f, DataFlow::InvokeNode outer, DataFlow::InvokeNode inner, int j,
@@ -676,12 +676,52 @@ private predicate higherOrderCall(
676676
// indirect higher-order call
677677
exists (DataFlow::Node cbArg, PathSummary newSummary |
678678
cbParm.flowsTo(cbArg) and
679-
higherOrderCall(innerArg, cbArg, i, cfg, newSummary) and
679+
summarizedHigherOrderCall(innerArg, cbArg, i, cfg, newSummary) and
680680
summary = oldSummary.append(PathSummary::call()).append(newSummary)
681681
)
682682
)
683683
}
684684

685+
/**
686+
* Holds if `arg` is passed as the `i`th argument to `callback` through a callback invocation.
687+
*
688+
* This can be a summarized call, that is, `arg` and `callback` flow into a call,
689+
* `f(arg, callback)`, which performs the invocation.
690+
*
691+
* Alternatively, the callback can flow into a call `f(callback)` which itself provides the `arg`.
692+
* That is, `arg` refers to a value defined in `f` or one of its callees.
693+
*/
694+
predicate higherOrderCall(
695+
DataFlow::Node arg, DataFlow::SourceNode callback, int i, DataFlow::Configuration cfg,
696+
PathSummary summary
697+
) {
698+
// Summarized call
699+
exists (DataFlow::Node cb |
700+
summarizedHigherOrderCall(arg, cb, i, cfg, summary) and
701+
callback.flowsTo(cb)
702+
)
703+
or
704+
// Local invocation of a parameter
705+
isRelevant(arg, cfg) and
706+
exists (DataFlow::InvokeNode invoke |
707+
arg = invoke.getArgument(i) and
708+
invoke = callback.(DataFlow::ParameterNode).getACall() and
709+
summary = PathSummary::call()
710+
)
711+
or
712+
// Forwarding of the callback parameter (but not the argument).
713+
// We use a return summary since flow moves back towards the call site.
714+
// This ensures that an argument that is only tainted in some contexts cannot flow
715+
// out to every callback.
716+
exists(DataFlow::Node cbArg, DataFlow::SourceNode innerCb, PathSummary oldSummary |
717+
higherOrderCall(arg, innerCb, i, cfg, oldSummary) and
718+
callStep(cbArg, innerCb) and
719+
callback.flowsTo(cbArg) and
720+
summary = PathSummary::return().append(oldSummary)
721+
)
722+
}
723+
724+
685725
/**
686726
* Holds if `pred` is passed as an argument to a function `f` which also takes a
687727
* callback parameter `cb` and then invokes `cb`, passing `pred` into parameter `succ`
@@ -693,12 +733,8 @@ private predicate higherOrderCall(
693733
private predicate flowIntoHigherOrderCall(
694734
DataFlow::Node pred, DataFlow::Node succ, DataFlow::Configuration cfg, PathSummary summary
695735
) {
696-
exists(
697-
DataFlow::Node fArg, DataFlow::FunctionNode cb,
698-
int i, PathSummary oldSummary
699-
|
700-
higherOrderCall(pred, fArg, i, cfg, oldSummary) and
701-
cb = fArg.getALocalSource() and
736+
exists(DataFlow::FunctionNode cb, int i, PathSummary oldSummary |
737+
higherOrderCall(pred, cb, i, cfg, oldSummary) and
702738
succ = cb.getParameter(i) and
703739
summary = oldSummary.append(PathSummary::call())
704740
)

javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -264,6 +264,12 @@ predicate callback(DataFlow::Node arg, DataFlow::SourceNode cb) {
264264
callStep(cbArg, cbParm) and
265265
cb.flowsTo(cbArg)
266266
)
267+
or
268+
exists (DataFlow::ParameterNode cbParm, DataFlow::Node cbArg |
269+
callback(arg, cbParm) and
270+
callStep(cbArg, cbParm) and
271+
cb.flowsTo(cbArg)
272+
)
267273
}
268274

269275
/**

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,14 @@
11
| advanced-callgraph.js:2:13:2:20 | source() | advanced-callgraph.js:6:22:6:22 | v |
2+
| callbacks.js:4:6:4:13 | source() | callbacks.js:34:27:34:27 | x |
3+
| callbacks.js:4:6:4:13 | source() | callbacks.js:35:27:35:27 | x |
4+
| callbacks.js:5:6:5:13 | source() | callbacks.js:34:27:34:27 | x |
5+
| callbacks.js:5:6:5:13 | source() | callbacks.js:35:27:35:27 | x |
6+
| callbacks.js:25:16:25:23 | source() | callbacks.js:47:26:47:26 | x |
7+
| callbacks.js:25:16:25:23 | source() | callbacks.js:48:26:48:26 | x |
8+
| callbacks.js:37:17:37:24 | source() | callbacks.js:37:37:37:37 | x |
9+
| callbacks.js:44:17:44:24 | source() | callbacks.js:41:10:41:10 | x |
10+
| callbacks.js:50:18:50:25 | source() | callbacks.js:30:29:30:29 | y |
11+
| callbacks.js:51:18:51:25 | source() | callbacks.js:30:29:30:29 | y |
212
| constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:18:8:18:14 | c.taint |
313
| constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:22:8:22:19 | c_safe.taint |
414
| constructor-calls.js:10:16:10:23 | source() | constructor-calls.js:26:8:26:14 | d.taint |
Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
import * as dummy from 'dummy'; // treat as module
2+
3+
function provideTaint(cb) {
4+
cb(source());
5+
cb(source());
6+
}
7+
8+
function provideTaint2(cb) {
9+
provideTaint(cb);
10+
provideTaint(cb); // suppress precision gains from functions with unique call site
11+
}
12+
13+
function forwardTaint(x, cb) {
14+
cb(x);
15+
cb(x);
16+
}
17+
18+
function forwardTaint2(x, cb) {
19+
forwardTaint(x, cb);
20+
forwardTaint(x, cb);
21+
}
22+
23+
function middleSource(cb) {
24+
// The source occurs in-between the callback definition and the callback invocation.
25+
forwardTaint(source(), cb);
26+
}
27+
28+
function middleCallback(x) {
29+
// The callback definition occurs in-between the source and the callback invocation.
30+
forwardTaint(x, y => sink(y)); // NOT OK
31+
}
32+
33+
function test() {
34+
provideTaint2(x => sink(x)); // NOT OK
35+
provideTaint2(x => sink(x)); // NOT OK
36+
37+
forwardTaint2(source(), x => sink(x)); // NOT OK
38+
forwardTaint2("safe", x => sink(x)); // OK
39+
40+
function helper1(x) {
41+
sink(x); // NOT OK
42+
return x;
43+
}
44+
forwardTaint2(source(), helper1);
45+
sink(helper1("safe")); // OK
46+
47+
middleSource(x => sink(x)); // NOT OK
48+
middleSource(x => sink(x)); // NOT OK
49+
50+
middleCallback(source());
51+
middleCallback(source());
52+
}

0 commit comments

Comments
 (0)